gelder
Cadet
Joined: Aug 25, 2006 Posts: 6 Location: USA
Posted: Fri Sep 01, 2006 7:09 pm Post subject: Suspect I have a Rootkit
Cannot boot into safe mode.
I have run a variety of malware and virus scanners. They do not find anything wrong. Please check this log.
Logfile of HijackThis v1.99.1
Scan saved at 3:04:36 PM, on 9/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\RCrawler\rcrawler.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\George C. Elder\My Documents\Unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/html/index.cfm?p=16&m=158
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\rcrawler.exe -TRAYONLY
O4 - HKCU\..\Run: [aČ] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127764309609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127764291281
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17542
Posted: Sat Sep 02, 2006 7:13 am Post subject:
In your previous post (dated Tue Aug 29, 2006 4:25 pm, and now removed) you stated:
gelder wrote:
I cannot log on in Safe Mode. I cannot log into Myhealthevet.va.gov in Internet Explorer. (I can with Firefox.)
Added this as further info for our helpers.
I am moving this topic to the Rootkit Revelations forum. If you really have a rootkit, then we can help you there.
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1930
Posted: Sat Sep 02, 2006 10:35 am Post subject:
First, please download Rootkit Revealer
- Unzip it to your desktop.
- Open the rootkitrevealer folder and double-click rootkitrevealer.exe
- Click the Scan button (bottom right)
- It may take a while to scan (don't do anything while it's running)
- When it's done, go up to File > Save. Choose to save it to your desktop.
- Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
** NOTE: Before performing a scan it is recommended to do the following.
1. Physically unplug the cable from the PC to the internet connection.
2. Close down All Scheduling/Updating + Running Background tasks etc.
3. Launch and run the program.
4. While it is scanning DO NOT use your computer at ALL until the scan has been completed.
5. Save your Log File, and then Enable those things you closed down, or Reboot, and ONLY then Reconnect to the Internet.
This will ensure you have a simpler and clearer log file to analyze.
Second, download GMER from here: http://www.gmer.net/gmer.zip
Run GMER > go to rootkit tab > click copy button > ok. In your next reply, right-click and select paste.
_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
gelder
Cadet
Joined: Aug 25, 2006 Posts: 6 Location: USA
Posted: Wed Sep 06, 2006 10:31 pm Post subject:
I was told to use RootkitRevealer.exe. I did and received: "Scan Complete: no discrepancies found."
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1930
Posted: Thu Sep 07, 2006 2:04 am Post subject:
Can you please post a GMER log as instructed previously?
What happens when you try to boot into safe mode?
Do you get an error message... does the computer stall?
What steps did you take for going into safe mode?
_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
gelder
Cadet
Joined: Aug 25, 2006 Posts: 6 Location: USA
Posted: Thu Sep 07, 2006 9:53 pm Post subject:
Sorry I missed the previous instruction.
When booting I hit the F8 key and the safe mode screen appears. I scroll to Safe Mode, hit Enter and then I get a black screen with "Multi ....." Then the Safe Mode screen appears again.
09/07/06 10:26:02 [Info]: BlackLight Engine 1.0.46 initialized
09/07/06 10:26:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/07/06 10:26:05 [Note]: 7019 4
09/07/06 10:26:05 [Note]: 7005 0
09/07/06 10:26:19 [Note]: 7006 0
09/07/06 10:26:20 [Note]: 7011 1736
09/07/06 10:26:21 [Note]: 7026 0
09/07/06 10:26:21 [Note]: 7026 0
09/07/06 10:26:38 [Note]: FSRAW library version 1.7.1019
09/07/06 10:42:17 [Note]: 7007 0
gelder
Cadet
Joined: Aug 25, 2006 Posts: 6 Location: USA
Posted: Sat Sep 09, 2006 7:02 pm Post subject:
Here is my GMER log:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-09 14:56:57
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F6546800] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F348CC8A
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}
---- EOF - GMER 1.0.10 ----
AbuIbrahim
Security Expert Special Response Team
Joined: Jan 18, 2006 Posts: 1930
Posted: Sat Sep 09, 2006 7:39 pm Post subject:
GMER log also showed up clean. As I mentioned, to resolve the safe mode problem, you may need to do a Windows repair. If you have any questions or need any assistance, let me know and I will be glad to help.
_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
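The "clean" verdict above rests on every SSDT and IRP hook in the GMER log being attributed to one module, vsdatant.sys, which belongs to the ZoneAlabs/CA firewall whose vsmon.exe appears in the HijackThis process list. The script below is an added triage example (not GMER's own code and not from the helpers in this thread): it parses a constructed excerpt of the posted GMER log, groups hooks by owning module, and separates out hooks that carry only an address, such as the Fastfat entry. The allowlist KNOWN_MODULES is an assumption the analyst has to justify from the installed software.

```python
"""Triage a GMER 'Rootkit' log: group kernel hooks by the module GMER attributes
them to and flag hooks that carry only an address.  Added example for this thread,
not GMER's own code; SAMPLE_LOG is a constructed excerpt of the log posted above."""
import re
from collections import defaultdict
SAMPLE_LOG = """\
---- System - GMER 1.0.10 ----
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwOpenProcess
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwSetValueKey
---- Devices - GMER 1.0.10 ----
Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_CREATE [F6546800] vsdatant.sys
Device \\Driver\\Tcpip \\Device\\Udp IRP_MJ_SHUTDOWN [F6546800] vsdatant.sys
Device \\FileSystem\\Fastfat \\Fat IRP_MJ_CREATE F348CC8A
---- EOF - GMER 1.0.10 ----
"""
# Assumed allowlist: drivers the analyst has tied to installed software
# (vsdatant.sys belongs to the ZoneAlarm/CA firewall whose vsmon.exe is running).
KNOWN_MODULES = {"vsdatant.sys"}
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\S+)\s+(?P<func>Zw\w+)$")
DEV_RE = re.compile(
    r"^Device\s+(?P<drv>\S+)\s+(?P<dev>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr>[0-9A-F]+)\]\s+(?P<mod>\S+)|(?P<bare>[0-9A-F]+))$"
)

def triage(log_text):
    """Return ({module: [hook descriptions]}, [unattributed hook descriptions])."""
    by_module = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            mod = m.group("path").rsplit("\\", 1)[-1].lower()
            by_module[mod].append("SSDT " + m.group("func"))
            continue
        m = DEV_RE.match(line)
        if m:
            desc = "%s %s %s" % (m.group("drv"), m.group("dev"), m.group("irp"))
            if m.group("mod"):
                by_module[m.group("mod").lower()].append(desc)
            else:  # address only: GMER could not map it to a loaded module
                unattributed.append(desc + " @ " + m.group("bare"))
    return dict(by_module), unattributed

def verdict(log_text, known=KNOWN_MODULES):
    """Modules outside the allowlist and unattributed hooks need follow-up."""
    by_module, unattributed = triage(log_text)
    unknown = sorted(mod for mod in by_module if mod not in known)
    return {"unknown_modules": unknown, "unattributed": unattributed}
```

An empty unknown_modules list is only as good as the allowlist; the unattributed Fastfat hook is the one entry a reviewer would still want to map to a driver (often a file-system filter) before closing the case.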
gelder
Cadet
Joined: Aug 25, 2006 Posts: 6 Location: USA
Posted: Sat Sep 09, 2006 10:12 pm Post subject:
Thank you very much for your help.